The Latest in IT Security

’60 Minutes’ BIOS Plot May Be NSA Invention

17 Dec 2013

News, an old journalistic adage goes, is what someone, somewhere wants to suppress. All the rest is publicity.

The two-segment piece CBS News' "60 Minutes" aired last night (Dec. 15) on the National Security Agency (NSA) was terrific publicity. Half a dozen NSA officials, including Director Gen. Keith Alexander, calmly explained how the NSA protects America from terrorists without treading harshly on Americans' privacy. Not a single critic of the agency was interviewed, or even named.

And then there was this scoop: The NSA stopped a catastrophic Chinese scheme, called the "BIOS plot," to destroy every computer in the world.

"Think about the impact of that across the entire globe," NSA Director of the Information Assurance Directorate Debora A. Plunkett told CBS reporter John Miller. "It could literally take down the U.S. economy."

That was news to many security experts, who had never before heard of the BIOS plot, even though "60 Minutes" asserted that computer manufacturers had worked with the NSA to close this vulnerability. Such an undertaking would have been well known in the information-security community.

Plunkett gave only the barest outline of the supposed Communist scheme, not specifying when and how the plot was uncovered and foiled. CBS' confirmation of the plot's existence and provenance relied on unnamed cybersecurity experts briefed on the operation who "told us it was China."

Security experts aren't buying it.

How BIOS malware works

"There is probably some real event behind this, but it's hard to tell, because we don't have any details," wrote Robert Graham, CEO of Atlanta penetration-testing firm Errata Security, on his blog last night. "It's completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm."

It's technically possible to craft the kind of attack Plunkett described — a fake firmware update that infects the Basic Input/Output System (BIOS), a small piece of software built into the motherboards of most personal computers. (Macs and some recent Windows machines don't use BIOS.)

"So," Miller said during the interview, "this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do."

"That's right," replied Plunkett.

"And basically turned it into a cinderblock," Miller said.

"A brick," Plunkett said, using the common techie term for a completely nonfunctional piece of hardware.

BIOS malware has been around for at least 15 years, and it wouldn't take much coding to corrupt the BIOS of an older motherboard so that it couldn't boot. (To repair the computer, the BIOS chip could be replaced or reprogrammed.) Newer BIOSes have security safeguards to prevent such attacks — but again, none of that is news.

"There's no special detail here," Graham wrote. "All [Plunkett and the NSA] are doing is repeating what Wikipedia says about BIOS, acting as techie talk layered onto the discussion to make it believable, much like how 'Star Trek' episodes talk about warp cores and Jefferies tubes."

Stripped of techie talk, Graham said, this passage simply says "The NSA foiled a major plot, trust us."

Why China wouldn't destroy American computers

Other security experts questioned why China would want to destroy American computers at all, especially considering how interlinked the two countries' economies are, and how keeping infected computers running is much more advantageous for cyberspies.

"The problem I have with #60Minutes NSA story is that the BIOS story isn't believable," tweeted Graham's colleague, Errata Chief Technology Officer David Maynor. "If an enemy developed that attack, why brick the boxes?"

"I don't think that China, or anyone else on this planet, would damage the economy of the USA, for the simple reason that they would ultimately do damage to themselves (and their country/employer)," Avira researcher Sorin Mustaca told the Softpedia blog.

"I would fully understand if a government would try to control the computers in the U.S. (especially those that are critical)," Mustaca said, "but I don't understand why anyone would want to destroy them."

In a behind-the-scenes video clip posted online, CBS News explained that the NSA approached the news organization about doing the piece, and that the agency reviewed the story before it was aired. It's not clear whether Miller was hand-selected by the NSA to report the story, but he's not a regular "60 Minutes" correspondent.

Miller has worked extensively as both a reporter — he traveled to Afghanistan in 1998 to interview Osama bin Laden — and also as a government official. Miller has worked for the New York Police Department, the Los Angeles Police Department, the FBI and the Office of the Director of National Intelligence. He is reportedly being considered for another top job at the New York Police Department.

To get another side of the NSA story, read Ryan Lizza's long but very informative piece in this week's New Yorker magazine about the NSA. It's all online for free.

Lizza himself had some words after watching "60 Minutes" last night.

"Wow, the 60 Minutes piece about the NSA was just embarrassing," tweeted Lizza. "Kudos to the NSA communications staff. You guys should get a raise."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Copyright 2013 Toms Guides, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
